Wednesday, January 21, 2009

The Toe!

The big, nasty, pointy bulge on my toe is getting removed! Those of you that know me well know exactly what I'm talking about. It's about time!

Monday, January 5, 2009

How to be secure on an insecure wireless network

This is for all of you Linux geeks out there like me. 

Before we get started, here's a list of requirements:
  • A computer or virtual machine running some flavor of Linux
  • SSH Server installed on that Linux box
  • Knowledge of PuTTY and the SSH command-line and protocol
  • Knowledge of IP ports and IP addressing

I'm sure most Linux people know how to use SSH, and I'm sure most Linux people have SSH access to a machine on their network from the outside world through DynDNS or something like it. If you don't have these things, stop reading and do it.

I've seen a couple of articles on how to do this already, but they're usually long-winded and annoyingly detailed. For those of you Linux geeks who know what you're doing, here's the lowdown on how to encrypt your data on an insecure wireless network (like at a hotel, coffee shop or your neighbor's house).

First of all, I'm assuming you're using PuTTY on a Windows machine to connect to your SSH machine. You can do this from a Linux machine as well, but you have to know how to do port forwarding using the SSH command line (unless there's some ssh GUI out there for Linux, which I'm sure there is). If you've never used port forwarding (known as "tunneling" in PuTTY), you're in for a treat. If you look under the "Connection" category in the PuTTY configuration tree, there's a branch that says "SSH." Open that up and go to "Tunnels." Let the magic begin! Using SSH tunnels, you can access virtually any network resource that the machine you're SSHing into can.

On the Tunnels screen, you need to know what the different (and poorly named) fields mean. First is the "Source Port." We'll discuss that one later. Next is the "Destination." This is the [host]:[port] that you want to be able to tunnel into. For example, say you have an SSH connection to your Linux box and you have another machine broadcasting your music using Icecast or something. That machine has an IP of 192.168.0.101 and Icecast is listening on port 8000. For destination, enter 192.168.0.101:8000. Now here's where the source port comes in. For source port, enter something like 1234. Click Add. Don't forget to go back to the "Session" category and save the settings. Now connect to your SSH machine. To listen to your Icecast stream, open up whatever program you use (e.g. VLC) and for the server address, enter localhost:1234. Now you're listening to your Icecast stream, through SSH.

Let's review. Destination is the machine and port you want to connect to through your SSH connection. Source port is the port that the machine you are connecting from will use to tunnel with. So if you have the source port as 1234, no matter what protocol or service you're connecting to, you'll use localhost:1234 to connect to it. If you set the source port as 9876, then you'll use localhost:9876 to connect through the SSH tunnel to the destination port on the other end. 

So how can you be secure on an insecure wireless network? You'll need to set up Squid (a proxy server) on a machine on the network you're connecting to. All you need to do is install Squid and use the defaults and it should be good to go. By default, Squid listens on port 3128. So here's what you do for your setup:

Squid Setup:
Squid Server's IP: 192.168.0.200
Squid Server's Port: 3128

PuTTY Setup:
Destination: 192.168.0.200:3128
Source Port: 1234 (or whatever you want)

Don't forget to click "Add," and don't forget to save the settings. Now, once you've connected using SSH, you have an encrypted tunnel into your Squid proxy server. Now open up your web browser of choice and change the proxy settings to use localhost:1234 for your proxy and make sure to set it to use that proxy for all protocols (http, https, ftp, etc). Now when you browse the internet, your browser is sending the data through the encrypted SSH connection, to your Squid server which is actually getting the web page's data. That means all of the data is encrypted, therefore securing your data if you're using an insecure wireless network.

Cool, huh? You can use this same technique for VNC connections, FTP, RDP, or whatever you want to make more secure or have easier access to from the outside world.

Oh, and FYI, you can most likely use this technique to bypass your employer's proxy server, unless they're really paranoid and block all unnecessary protocols or monitor traffic on all 65,000 ports. Of course, even if they do monitor the traffic on all ports, because the connection is encrypted they can only see the amount of data being transferred, not the actual data. But you didn't hear that from me. :c)

Advanced usage: If you really want to make sure that your connection is safely encrypted, I highly recommend generating a key pair for the machine you're connecting from to the machine you're connecting to. This way, if someone (like your employer's network admin) tries to man-in-the-middle your SSH connection, you'll get a big, nasty warning that the key pair doesn't match.
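For the Linux-side case mentioned above, where the same Squid tunnel has to be set up from the ssh command line, here is an added example (not code from the original post) that maps the PuTTY "Source Port" and "Destination" fields onto OpenSSH's -L option and also turns the host-key warning from the advanced usage note into a hard refusal. The Squid address 192.168.0.200:3128, local port 1234, the DynDNS name home.example.org and the user name "me" are assumed values.

```shell
#!/bin/sh
# Added example, not from the original post: the OpenSSH command-line
# equivalent of the PuTTY "Tunnels" settings, for the Linux laptop the post
# says needs the ssh command line. Assumed values: Squid at 192.168.0.200:3128,
# local source port 1234, DynDNS name home.example.org, account "me".
SQUID_HOST=192.168.0.200
SQUID_PORT=3128
SRC_PORT=1234
SSH_HOST=home.example.org
SSH_USER=me

# PuTTY "Source Port" = local port; "Destination" = host:port as seen from
# the SSH server. OpenSSH spells that -L [bind]:source_port:dest_host:dest_port.
tunnel_cmd() {
    src=$1; dhost=$2; dport=$3; user=$4; host=$5
    # 127.0.0.1 bind: only this laptop can use the tunnel, so nobody else on
    # the hotel wireless gets a free ride through your proxy.
    # -N: forward only, no remote shell.
    # ExitOnForwardFailure: refuse to run at all if port 1234 is taken,
    # instead of silently connecting without the tunnel.
    # StrictHostKeyChecking=yes: the "key doesn't match" warning from the
    # post's advanced section becomes a hard refusal rather than a prompt.
    printf 'ssh -N -L 127.0.0.1:%s:%s:%s -o ExitOnForwardFailure=yes -o StrictHostKeyChecking=yes %s@%s' \
        "$src" "$dhost" "$dport" "$user" "$host"
}

# Proxy settings for command-line tools; the browser gets the same
# localhost:1234 entry by hand, for all protocols as the post says.
proxy_env() {
    printf 'http_proxy=http://127.0.0.1:%s https_proxy=http://127.0.0.1:%s' "$1" "$1"
}

# Once the tunnel is up, fetch a page through it and print the HTTP status.
# Note the encryption covers only laptop -> SSH server; plain http from
# Squid to the website is still cleartext on the home side.
check_proxy() {
    curl -sS -o /dev/null -w '%{http_code}' -x "http://127.0.0.1:$1" http://example.com/
}

# Usage (interactive): start the tunnel in the background, then test it.
#   $(tunnel_cmd "$SRC_PORT" "$SQUID_HOST" "$SQUID_PORT" "$SSH_USER" "$SSH_HOST") &
#   sleep 2; check_proxy "$SRC_PORT"
# Key pair instead of a password (the post's advanced section):
#   ssh-keygen -t ed25519 -f ~/.ssh/home_tunnel
#   ssh-copy-id -i ~/.ssh/home_tunnel.pub "$SSH_USER@$SSH_HOST"
```

With StrictHostKeyChecking=yes the server's host key must already be in ~/.ssh/known_hosts, so connect once from home (or paste the key in by hand) before relying on the tunnel from a hotel.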